Security Information and Event Management (SIEM)

Transcription

1 Security Information and Event Management (SIEM) D r. A n d r ej R ak ar SANS GCIH, RSA envision CSE, MCP, MCSA, ISS Expert

2 S ecu r ity I n for m ation an d E v en t M an ag em en t (SIEM) SIEM Role in ISMS RSA envision Presentation SIEM Integration in Information System

3 T h e E n ter p r ise T od ay M ou n tain s of data, m an y stak eholders Malicious Code Detection Real-Time Monitoring Spyware detection Troubleshooting Access Control Enforcement Configuration Control Privileged User Management Lockdown enforcement Unauthorized Service Detection False Positive Reduction IP Leakage Web server activity logs User Monitoring Switch logs Web cache & proxy logs SLA Monitoring Content management logs How to collect & protect all the data necessary to build platform How to analyze and amanage allfor the compliance, and data to transform security, it into information network operations VA Scan logs Windows domain logins Windows logs IDS/IDP logs Router logs VPN logs Firewall logs Wireless access logs Oracle Financial Logs Mainframe logs Linux, Unix, Windows OS logs Client & file server logs DHCP logs San File Access Logs VLAN Access & Control logs Database Logs

4 C h allen g e: G r ow th of E n ter p r ise S ilos R edu n dan t I n form ation M an agem en t COMMERCIAL INTERNAL APPLICATIONS APPLICATIONS OPERATING SYSTEMS SECURITY INFORMATION NETWORK INFORMATION DATABASE SYSTEMS STORAGE

5 C h allen g es I n for m ation S ecu r ity Challenge to get up-to-date metrics for Security Status Countless hours spent gathering, understanding, security logs from disparate systems Incident response is ad- hoc, manual and inefficient Data overload causes reactive security measures I T C om p lian ce R ep or tin g Creating reports is time- consuming, laborintensive and error-prone Sr. management expects to cut compliance costs IT governance is reactive, not proactive

6 R equ ir em en ts an d O bjectiv es I m p r ov e P r oof-o f-c om p lian ce r ep or tin g of I T con tr ols S y stem m on itor in g an d su p er v ision n etw or k con tr ols, ap p lication s E fficien t m an ag em en t of secu r ity r isk s r eal-tim e secu r ity aler ts C u ttin g com p lian ce costs by r ep lacin g m an u al p r ocesses w ith h olistic solu tion for con tin u ou s secu r ity in for m ation an d ev en t m an ag em en t

7 S I E M for M on itor in g an d I m p r ov em en t of I S M S ISMS Information Security Management System Information security managemnt system documentation information security policy inventory of assests risk analysis report statement of applicability policies, procedures and standards SLA, contracts Review and improvement controlled by process documentation Bussiness processes SIEM EVENTS security incidents vulnerability malfunctions audit results sec. assessment results Proving documentation Analysis

8 S I E M for S im p lify in g C om p lian ce Compliance Environment HIPAA GLBA BASEL II FISMA PCI SarbanesOxley Compliance Objective Access Control Enforcement Configuration Control Malicious Code Detection User Monitoring & Management Policy Enforcement Environmental & Transmission Security = Critical to this compliance environment = Highly desired in compliance environment Privileged user monitoring Unauthorized user access Change control lockdown enforcement Unapproved software monitoring Anomaly monitoring against baselines Reporting of outbreaks Monitor user privileges Enforcement of account policies Verify user activity against policy Prevent information leakage Secure data transmissions Proactive security of the network Product Capabilities Log Management Asset Identification Baseline Report & Audit Alert / Correlate Forensic Analysis Incident Management

9 S I E M for E n h an cin g S ecu r ity O p er ation s Security Environment Internal Systems & Applications ecommerce Operations Perimeter Network Operations Security Objective Access Control Enforcement Real-time Monitoring False Positive Reduction Correlated Threat Detection Watchlist Enforcement Unauthorized Network Service Detection SLA Compliance Monitoring = Most critical = Highly desired = Desired Privileged user monitoring Corporate policy conformance Troubleshoot network & security events What is happening? Confirm IDS alerts Enable critical alert escalation Watch remote network areas Consolidate distributed IDS alerts External threat exposure Internal investigations Shutdown rogue services Intellectual property leakage Proof of delivery Monitor against baselines Product Capabilities Log Management Asset Identification Baseline Report & Audit Alert / Correlate Forensic Analysis Incident Management

10 How to ensure that security measures are really implemented? What and when happened, should actions be taken? P r oblem s: lengthy collection, management and understanding of security logs incident management is manual, inefficient and unsystematic large number of data prevents timely measures and actions determining current security status of information system is demanding generating reports is time consuming, demanding, and prone to mistakes

11 SIEM Role in ISMS RSA envision Presentation SIEM Integration in Information System

12 A d v an tag es of R S A en V ision S olu tion R eal tim e ev en t m an ag em en t R eal tim e ev en t cor r elation A u tom atic d iscov er y of secu r ity in cid en ts S u p p or t for lar g e n u m ber of sy stem s an d p ossibility to in teg r ate u n k n ow n d ev ices >1000 p r econ fig u r ed r ep or ts com p lian t w ith B asel I I, P C I, I S O 27001, S O X, etc. lar g est m ar k et p r esen ce for S I E M

13 R S A en V ision S calability 300, LS Series EPS ES Series # DEVICES ,000

14 R S A en V ision A r ch itectu r e

15 R S A en V ision an d L og S m ar t I P D B A ll the D ata w ith C on sisten tly H igh Perform an ce Data Loss io n p Un Authenticated re Compressed bl e ts er Al Relational Database ta dic D a at s lo p Ex Parallel analysis Encrypted LogSmart IPDB

16 D ata C ap tu r e A g en tless D ata C ap tu r e L ow est p ossible im p act to th e en ter p r ise S m aller attack su r face by r edu cin g n u m ber of activ e elem en ts I n cr eases accu r acy by r ed u cin g /elim in atin g blin d sp ots R aw D ata C ap tu r e WORM D ata in teg r ity v ia W r ite O n ce R ead M an y ( W O R M ) desig n I n cr eases accu r acy by r ed u cin g /elim in atin g data m u n g in g P er m its data to be r e-p u r p osed as n eeded S u p p or ts both leg al an d for en sic ev id en ce d iscov er y U n iv er sal D ev ice S u p p or t ( U D S ) D eliv er s v er y br oad sou r ce dev ice su p p or t P r ov id es easy m ech an ism to k eep existin g dev ices u p to d ate A bstr acts 100K + ev en ts in to distin ct categ or ies for

17 A n aly sis an d E v en t M an ag em en t I n tellig en t D ata M in in g & R aw E v en t V iew in g B oth r eal-tim e an d h istor ical ev en ts can be an aly zed H ig h ly cu stom izable to m atch in div id u al con su m er r eq u ir em en ts R ole-based access con tr ol C on sisten t p er for m an ce in dep en den t of in com in g E P S r ate A dv an ced E v en t C or r elation & A ler tin g R eal-tim e an aly sis acr oss an y / all dev ice ty p e or ev en ts L ev er ag es com p r eh en siv e ev en t taxon om y S u p p or ts both an om aly an d sig n atu r e-based cor r elation log ic C on sisten t p er for m an ce in dep en den t of in com in g E P S r ate R ep or tin g E n g in e O ffer s both r u n -tim e an d sch edu led r ep or ts A n aly zes an d r ep or ts on both detail an d su m m ar y ty p e in for m ation D edicated r ep or tin g p ack ag es for sp ecific in du str y r eq u ir em en ts S O X, P C I, H I P A A, G L B A, S A S 70, etc. >1000 r ep or ts & ch ar ts sh ip w ith p r odu ct W izar d G U I for cu stom ization

18 S I E M R ep or tin g Gain Needed Insight Into IT Controls D iscov er tr en d s, an om alies T r ack an d r ep or t secu r ity - r elated activ ity on assets im p acted by S ar ban eso xley, oth er r eg u lation s Improve Proof-of-Compliance Reporting D em on str ate O r g an ization M on itor s Y ou r activ ity on cr itical I T assets I den tifies an d an aly zes secu r ity an d com p lian ce in cid en ts T r ack s an d r esolv es in ciden ts an d p olicy v iolation s Out-of-Box Reports, Configure Existing Reports, Create Your Own

19 R S A en V ision S tan d ar d R ep or ts

20 SIEM Role in ISMS RSA envision Presentation SIEM Integration in Information System

21 D r iv er s for I m p lem en tin g S I E M S olu tion s M itig atin g secu r ity r isk s E n d u ser exp ectation s R eg u lator y com p lian ce A d ap tability an d bu sin ess ag ility C ost con tain m en t

22 S I E M I n teg r ation in I n for m ation S y stem Legislation Standards Security policy correlations Incident management incidents reporting by incidents events HELP DESK events Monitoring system events data servers web servers databases applications routers firewalls IDS/IPS

23 I n teg r ation of E v en ts, S y stem s an d I d en tity M an ag em en t Security Information & Event Management Systems Comprehensive Security & Compliance Identity & Access Management Management

24 I n teg r ation of L og s fr om N etw or k D ev ices > Syslog, Syslog NG > SNMP > Formatted log files >Comma/tab/space delimited, other > ODBC connection to remote databases > Push/pull XML files via HTTP > Windows event logging API > CheckPoint OPSEC interface > Cisco IDS POP/RDEP/SDEE B-2

25 I n teg r ation w ith N etw or k M an ag em en t S y stem s I n teg r ation w ith n etw or k m an ag em en t sy stem s ( S M S, M O M, etc.) M on itor in g : d efin ition an d clasification of in cid en ts C r eate in ciden t U p date in cid en t C lose in ciden t M an ag em en t: con solid ate asset d atabase S y n ch r on ization

26 I n teg r ation w ith I d en tity M an ag em en t S y stem s (IM) Badge readers Alerts Reports Dashboards Apps Directory Directory User Provisioning Access Control Federated SSO Roles Rules Policies Correlation Rules Pattern Discovery Risk Scoring Databases Web Unified User/Role Information Normalized Event Collection Files Directory IM System SIEM System Desktops Etc.

27 S I E M I m p lem en tation B est P r actices R equ ir em en ts an aly sis w ith clear ly d efin ed objectiv es an d bu sin ess p r ocesses I n v olv e r ig h t p eop le d u r in g p r oject execu tion G r ad u al im p lem en tation based on p r ocess sig n ifican ce an d cr iticality M an d ator y tr ain in g an d n otification of all in v olv ed C on tin u ou s m on itor in g an d ad ap tation to ch an g es in th e

28 Q u estion s? andrej.rakar@astec.si